Questioning ‘Adequacy’ (Pt II) – South Korea
(2018) 151 Privacy Laws & Business International Report.
8 Pages Posted: 22 Jan 2018 Last revised: 13 Jul 2018
Date Written: January 15, 2018
The first part of this article http://ssrn.com/abstract=3096370 summarised the criteria and procedures by which the European Union has assessed the ‘adequacy’ of data protection in third countries, and considered, in light of those criteria, some issues which could arise in relation to Japan’s current application.
Korea’s data protection system was assessed as the strongest in Asia in 2014, and since then its enforcement aspects have been further strengthened. This article considers two main issues which could arise in relation to the EU’s assessment of its adequacy, both of which have some similarity to Japan. Questions concerning the necessary independence and powers of a data protection authority have already led to the application being ‘scaled back’ to cover only those parts of the private sector subject to the ‘Network Act’, which is administered by the Korean Communications Commission (KCC).
The first issue is whether ‘personal information’ has a broad enough scope under the Act. It only applies to information which can a identify a specific individual ‘when it is easily combined with other information’, so ‘easily’ excludes some information. Second, a contested set of Guidelines for De-identification of Personal Data, without clear legal status, supposedly allow some personal data to be partially removed from the scope of the Network Act, when followed. These procedures may allow a broader exemption from data privacy laws that would be allowed in the EU.
The second issue is whether Korea’s provisions controlling personal data exports, and particularly ‘onward transfers’ of personal data originally received from the EU, are strong enough. The Network Act currently requires data subjects to be informed of details of data exports before providing consent, but not of the state of the law in the recipient country. It is questionable whether this would satisfy EU requirements. Proposed amendments to the law to require foreign data recipients to do likewise before further exports have questionable enforceability. The proposed amendments also include two new mechanisms under which it is unclear whether data exports may take place which could potentially be used to allow transfers to APEC-CBPRs compliant companies (at present, those in the US) with lower protective standards. Such provisions need clarification in the course of an adequacy assessment.
The two parts of this article illustrate why, while adequacy assessment is not a black box, it is not very transparent in its principles or operation. Consequently, independent analyses need to be made of issues requiring consideration by EU authorities in relation to their assessments of particular countries, as part of more general public debate.
A concluding observations is that the way in which the EU deals with the effect on adequacy of laws facilitating exports to APEC-CBPRs compliant companies may be of great importance to the future of the EU’s concept of ‘adequacy’ as a means of protecting the rights of EU citizens by insisting upon a high standard of data protection in foreign countries where their data will be processed.
Keywords: data protection, privacy, European Union, EU, South Korea, adeqacy, APEC CBPRs
Suggested Citation: Suggested Citation